Fixed an issue where the GlobalProtect™ app incorrectly displays a warning (

Password Warning:Password expires in 0 days

) even though the password has not, yet, expired.

Fixed an issue where the firewall incorrectly dropped GTPv2-C Modify Bearer Response packets due to a sequence-number mismatch.

Fixed an issue where a configuration change commit was accepted when only one virtual wire (vwire) interface was defined in a vwire pair. With this fix, a commit for a change where only one vwire interface is defined for a vwire pair is rejected and an error message is displayed.

Fixed an issue where the dataplane stopped responding when a tunnel interface on the firewall received fragmented packets.

Fixed an issue where NetFlow caused an invalid memory-access issue that caused the

pan_task

process to stop responding.

Fixed an issue where the firewall incorrectly dropped ARP packets and increased the

flow_arp_throttle

counter.

Fixed an issue in an HA active/active virtual wire configuration where a race condition caused the firewall to intermittently drop First SYN packets when they traversed the HA3 link.

Fixed an issue where a firewall frequently flapped a BGP session when the firewall did not receive any response from the BFD peer or when BFD was configured only on the firewall.

Fixed an issue where searching through pcaps from a Log Collector in a configuration with multiple Log Collectors took longer than expected.

Fixed an issue on Panorama™ where generating a threat pcap from the web interface (

Monitor

tab) took longer than expected and caused the web interface and CLI to become inaccessible.

Fixed an issue where Panorama displayed a

File not found

error when you attempted to view or download Threat packet captures (pcaps) from the

Monitor

tab.

Fixed an issue on a firewall with GTP stateful inspection enabled where the firewall incorrectly identified GTP echo packets as GTP-U application packets.

Fixed an issue on PA-3000 Series, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls where Captive Portal was inaccessible for traffic on Secure HTTP (https) websites when SSL decryption was enabled and users were behind a proxy server.

Fixed an issue where device-group operations were discarded when a concurrent commit was triggered by a different administrator.

Fixed an issue where a firewall in a high availability (HA) active/active virtual wire (vwire) configuration with SSL decryption enabled passed traffic through the wrong firewall.

Fixed an intermittent issue where detecting an unreachable WF-500 node took longer than expected.

Fixed an issue where administrators were required to perform a commit force before pushing a partial or regular commit operation to managed appliances when the management server (

mgmtsrvr

) or configuration (

configd

) process encountered a virtual memory leak and restarted.

Fixed an issue with an incorrect policy match because Google-docs-base was incorrectly identified as SSL.

Fixed an issue where, after end users successfully authenticated for access to a service or application, their web browsers briefly displayed a page indicating authentication completed and then they were redirected to an unknown URL that the user did not specify.

Fixed an issue where the DNS proxy process failed due to a DNS response packet containing a TXT resource record with length = 0.

A security-related fix was made to prevent HTTP Header Injection in the Captive Portal.

Fixed an issue in a non-vsys configuration where a firewall dropped the Client Hello packet from tunneled traffic when inbound decryption was enabled because the firewall considered that packet to be an inter-vsys inbound packet.

Fixed an issue where a commit took significantly longer than expected when cloning a rule compared to when configuring a new rule when the configuration contained a large number of rules.

Fixed an issue where the

show routing protocol bgp rib-out

CLI command did not display advertised routes that the firewall sent to the BGP peer. This issue was observed only in a deployment where a firewall is connected to a Border Gateway Protocol (BGP) peer that advertised a route for which the next hop is not in the same subnetwork as the BGP peer interface.

Fixed an issue where firewalls in an HA active/active configuration with a default session setup and owner configuration dropped packets in a GlobalProtect VPN tunnel that used a floating IP address.

Fixed an issue where Q-in-Q-tagged packets passed through a firewall without inspection or session creation.

Fixed an issue where a firewall dropped SIP-RTP packets flowing through a GRE tunnel when a Tunnel Inspection Policy was configured with Security Options (Tunnel Inspection zones).

Fixed an issue where browsers failed to load custom response pages on decrypted websites when those pages were larger than 8,191 bytes. With this fix, the firewall supports decryption of custom response pages up to 17,999 bytes.

Fixed an issue where the firewall revealed part of a password in cleartext on the command-line interface (CLI) and management server (

mgmtsrvr

) log when an administrator attempted to set a password that exceeded the maximum number of characters (31) using the CLI. With this fix, the firewall reports an error when an administrator attempts to set a password that contains more than 31 characters without revealing any part of the actual password.

Fixed an issue where using the

test nat-policy-match

command from the XML API does not result in any matches when the matching policy is a destination NAT policy.

Fixed an issue where a firewall sent packets out of order when the sending rate was too high.

Fixed an issue where imported custom applications did not display in Security Policies that were created through the web interface.

Fixed an issue on PA-220 firewalls where either a commit or an EDLRefresh job failed with the following error message:

failed to handle CONFIG_UPDATE_START

. This issue occurred after an increase in the number of type URL entries in an external dynamic list.

Fixed an issue on Panorama Log Collectors where the

show system masterkey-properties

CLI command did not display the master key lifetime and reminder settings.

Fixed an issue where the firewall did not correctly re-learn a User-ID™ mapping after that mapping was temporarily lost and recovered through successful WMI probing.

Fixed an issue on PA-800 Series, PA-3200 Series, and PA-5200 Series firewalls where tunnel-bound traffic was incorrectly routed through an ECMP route instead of a PBF route as expected.

Fixed an issue where the default static route was not present in the routing table after you removed the DHCP-provided default gateway when you configured a default static route and DHCP provided the same default route.

Fixed an issue on Log Collectors where the

show log-collector serial-number

<LC_serial_number>

CLI command displayed log ages that exceeded log expiration periods.

Fixed an issue where the default view and maximized view of the Application Usage report (

ACC

Network Activity

) didn't display matching values when you set the

Time

to

Last 12 Hrs

or a longer period.

Fixed an issue when QoS was configured where the dataplane restarted due to a packet process failure.

Fixed an issue on firewalls deployed in virtual wire mode where SSL decryption failed due to a memory pool allocation failure.

(

GlobalProtect configurations on PAN-OS 8.0.8 and later releases only

) Fixed an issue where a configured Layer 3 interface erroneously opened ports 28869/tcp and 28870/tcp on the IP address assigned to that Layer 3 interface.

Fixed an issue on an M-100 appliance where logging stopped when a process (

vldmgr

) stopped responding.

Fixed an issue where the management server (

mgmtsrvr

) process on the firewall restarted when you pushed configurations from the Panorama management server.

Fixed an issue where a null-pointer exception caused the device server (“devsrv”) process on the management plane to restart.

Fixed an issue where the firewall applied the wrong checksum when a re-transmitted packet in a NAT session had different TCP flags, which caused the recipient to drop those packets.

Fixed an issue where the non-session-owner firewall in a high availability (HA) active/active configuration with asymmetric traffic flow dropped TCP traffic when TCP reassembly failed.

Fixed an intermittent issue where NAT traffic was dropped when NAT parameters were introduced or changed in the path between the LSVPN GlobalProtect gateway and the GlobalProtect satellite. To leverage this fix in your network, you must also enable Tunnel Monitoring on the GlobalProtect Gateway (“Network > GlobalProtect > Gateways > <”gp-gateway”> > Satellite > Tunnel Settings”).

Fixed an issue that occurred during the reboot process and caused some firewalls to go in to maintenance mode.

Fixed an issue where the PAN-OS XML API returned the same job IDs for all report jobs on the firewall. With this fix, the PAN-OS XML API returns the correct job ID for each report job.

Fixed an issue where the firewall displayed a continue-and-override response page when users tried to access a URL that the firewall incorrectly categorized as unknown because it learned the URL field as an IP address.

Fixed an issue where the Panorama management server didn't display log data in

Monitor

Logs

, the

ACC

tab, or reports when Panorama was in a different timezone than the Dedicated Log Collectors because Panorama applied the wrong time filter.

Fixed an issue during the software download process that prevented some firewalls and appliances from properly receiving these images.

Fixed an issue where GlobalProtect users could not access some websites decrypted by the firewall due to an issue with premature deletion of proxy sessions.

Fixed an issue where client connections initiated with HTTP/2 failed during SSL Inbound Inspection decryption because the firewall removed the Application-Layer Protocol Negotiation (ALPN) extension within the server hello packet instead of forwarding the extension to the client.

Fixed an issue where an Aggregate Ethernet (AE) interface with Link Aggregation Control Protocol (LACP) enabled on the firewall went down after a cisco-nexus primary virtual port channel (vPC) switch LACP peer rebooted and came back up.

Fixed an issue where IP addresses for predefined External Dynamic Lists were not displayed on the web interface.

An enhancement was made to improve compatibility for the HTTP log forwarding feature so that you can specify the TLS version that the HTTP log forwarding feature uses to connect to the HTTP server. To specify the version, use the

debug system https-settings tls-version

CLI command. (To view the currently specified version, use the

debug system https-settings

command.)

Fixed an issue where PA-7000 Series and PA-5200 Series firewalls didn't properly

Rematch all sessions on config policy change

for offloaded sessions (

Device

Setup

Session

).

Fixed an issue where automatic commits failed after you configured Security policy rules that referenced region objects for the source or destination and then upgraded the PAN-OS software.

Fixed an issue where the firewall was unable to verify a signature and marked the response as unavailable when the OCSP responder signed the response and sent it to the OCSP client but did not include the certificate.

Fixed an issue where some ICMP Type 4 traffic was not blocked as expected after you created a deny Security policy rule with custom App-ID for ICMP Type 4 traffic.

(

PA-3060, PA-3050, PA-5000 Series, PA-5200 Series, and PA-7000 Series firewalls only

) Fixed an issue where Threat logs displayed an

Other IP Flood

message instead of identifying the threat name of the correct protocol (such as

TCPFlood

) when traffic reached the configured SYN flood max-rate threshold (

Objects

Security Profiles

DoS Protection

<DoS_Protection_profile>

Flood Protection

SYN Flood

).

Fixed a rare issue where a commit caused the disk to become full due to an incorrect disk quota-size value, which caused the firewall to behave unpredictably (for example, the web interface and CLI became unresponsive).

A security-related fix was made to address a Cross-Site Scripting (XSS) vulnerability in the PAN-OS response to a GlobalProtect gateway (CVE-2018-10139).

Fixed an issue with scheduled log exports that prevented firewalls running in FIPS-CC mode from successfully exporting the logs using Secure Copy (SCP).

Fixed an issue where the default QoS profile limited the available bandwidth to 10Gbps when you specifically applied the profile to the ae2 interface; this issue occurred regardless of the bandwidth setting you configured specifically for that profile.

Fixed an issue where the Panorama management server did not run

ACC

reports or custom reports because the

reportd

process stopped responding when an administrator tried to access a device group to which that administrator did not have access.

Fixed an issue where an error was displayed when filtering the threat log because the buffer was cleared before prepending the query strings to it.

Fixed an issue where firewalls were unable to connect to a log collector after you modified the Log Forwarding Preferences (

Panorama

Collector Groups

<group>

Device Log Forwarding

).

Fixed an issue where an SSL session was reset after displaying the SSL decryption opt-out page regardless whether the user chose

Yes

or

No

.

Fixed an issue where administrators could perform a commit lock through the API but could not remove the lock using the same API account credentials on the web interface.

A protocol-related fix was made to address a bug in the OSPF protocol.

Fixed an issue in a bi-directional User-ID redistribution configuration where the User-ID (

useridd

) process stopped responding when same IP address was continually associated with different usernames, which caused the IP address-to-username mapping to continually sync between firewalls.

Fixed an issue where expiration of the Captive Portal browser-session cookie was incorrectly set on the browser to 24 hours by default. With this fix, the Captive Portal browser-session cookie expires when the browser session is terminated.